How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them

In 2013, basic Quality Assurance (QA) practices have become standard for cybercriminals launching a new campaign. To increase the probability of a successful outcome (a malware infection, a better visitor-to-infection conversion rate, a higher share of blackhat SEO-acquired traffic ending in the purchase of counterfeit pharmaceuticals, and so on), the bad guys now routinely apply QA tactics before, during, and after a malicious or fraudulent campaign has reached maturity, all in order to earn as much money as possible through fraudulent means.

In this post we'll profile a recently released desktop-based multi-antivirus scanning application. It relies on the infrastructure of one of the market-leading (cybercrime) services used exclusively by cybercriminals who want to confirm that their malicious executables go undetected, and that their submitted samples are not shared with the antivirus vendors, before actually launching the campaign.

More details:

Sample screenshot of the desktop edition of the originally Web-based, API-supporting cybercrime-friendly service:

Operating on the public Web since 2009, one of the most popular cybercrime-friendly underground alternatives to VirusTotal has been evolving systematically over the years, from the periodic introduction of new antivirus scanners to anti-blacklist URL checking against the most popular public and commercially available databases. Since 2010, its users have also been able to take advantage of its API and embed it within their campaigns and Web malware exploitation kits. Does the existence and public availability of the desktop tool pose any significant additional threat?

Although the (unofficial) desktop version is intended as a convenient option for a cybercriminal who does not want to use the service's Web interface, it directly undermines the efficiency and bulk-processing mindset behind the API, since it imposes the service's per-user limitations on the cybercriminal using it.